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We produce a decidable classical normal modal logic of internalised 
negation-complete or disjunctive non-monotonic interactive proofs (LDiiP) 
from an existing logical counterpart of non-monotonic or instant interac- 

Stive proofs (LiiP). LDiiP internalises agent-centric proof theories that are 
negation-complete (maximal) and consistent (and hence strictly weaker 
than, for example, Peano Arithmetic) and enjoy the disjunction property 
y—( (like Intuitionistic Logic). In other words, internalised proof theories are 

^ ultrafilters and all internalised proof goals are definite in the sense of bc- 

C*~) ing either provable or disprovable to an agent by means of disjunctive 

internalised proofs (thus also called epistemic deciders). Still, LDiiP it- 
self is classical (monotonic, non-constructive), negation- incomplete, and 
does not have the disjunction property. The price to pay for the nega- 
OO tion completeness of our interactive proofs is their non-monotonicity and 

(""*) non-communality (for singleton agent communities only). As a normal 

s ! modal logic, LDiiP enjoys a standard Kripke-semantics, which we justify 

by invoking the Axiom of Choice on LiiP's and then construct in terms 
of a concrete oracle-computable function. Our agent-centric notion of 
•^H proof is a negation-complete disjunctive explicit refinement of standard 

KD45-belief, and also yields a disjunctive but negation-incomplete explicit 
refinement of standard S5-knowledge. 

03 
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1 Introduction 



The subject matter of this paper is classical normal modal logic of interactive 
proofs, i.e., a novel modal logic of negation- complete or disjunctive interactive 
proofs (LDiiP) as well as an existing modal logic of (negation-incomplete or 
non-disjunctive) non-monotonic or instant interactive proofs (LiiP) [Kral2b]. 
(We abbreviate interactivity-related adjectives with lower-case letters.) Our 
goal here is to produce LDiiP axiomatically as well as semantically from LiiP. 
Note that here we still understand interactive proofs as sufficient evidence for 
intended resource-unbounded proof-checking agents (who are though unable to 
guess). 

1.1 Motivation 

Our immediate motivation for LDiiP is first the theoretical concept and sec- 
ond the practical application of a negation-complete variant of our interactive 
proofs [Kral2a, Kral2b]. The overarching motivation for LDiiP is to serve in 
an intuitionistic foundation of interactive computation. See [Kral2a] for a pro- 
grammatic motivation. 

1.1.1 Theoretical concept 

Like in the non-interactive setting, the motivation for negation-complete (max- 
imal) and consistent logical theories (or ultrafiltcrs [DP02]) and their external 
and internalised notions of proof is to gain cognitive, constructive, and computa- 
tional content. Recall that a logical theory T is negation- complete by definition 
if and only if (written ":iff" hereafter) for all formulas (f> in the language (say C) 
of T, <f> G T or -i <fi G T, and that T is consistent :iff _L G" T (so T^£), where 
designates negation and _L falsehood. (Inconsistent theories are trivially 
negation-complete.) Given a recursive axiomatisation 1 of and thus an external 
notion of proof for T, negation completeness and consistency corresponds to the 
meta-theorem schema hx 4> or hx ~^<t> (NC) and \/t -L , respectively. Compared 
with LDiiP 's internalised agent-centric notion of proof, negation completeness 
and consistency corresponds to the axiom schema hLDiiP (M Y a 0)VM Y a -i</> and 
l~LDiiP ->(MY a _L), respectively, where M designates a proof (message) and a an 
intended proof-checking agent. Notice that our internalisation is more concrete 
than its external counterpart in the sense that the first speaks about a concrete 
(internalised) proof (sufficient evidence) M whereas the latter only speaks about 
an abstract (external) provability hx- Hilbert hoped for a negation-complete 
consistent theory for the whole of mathematics, because, in his word, there is no 
ignorabimus about negation-complete consistent theories; in some sense, they 
are cognitively ideal: All (internalised) proof goals are definite [Mos06], here 
in the sense that their truth or falsehood can be determined unambiguously 
(and here even effectively by an agent) by means of (internalised) proofs (thus 

1 I.e., T has an algorithmically decidable set of axioms. This is a minimal requirement for 
any practical logical theory; it guarantees the rccognizability of its axioms. 
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also called epistemic deciders). Moreover, negation-complete theories, though 
necessarily non-intuitionistic (!), nevertheless enjoy the disjunction property of 
Intuitionistic Logic (IL), 2 which is that if hrL $ V </>' then hrL 4> or hiL <fi' (DP) 
[TvD88]. Thus they have considerable constructive content, and this even by 
conserving the deductive convenience of the law of the excluded middle! To see 
why negation-complete theories are necessarily classical, suppose that there is 
a non-classical negation-complete theory T (i.e., l/x and hx 4> or hx 
and derive an immediate contradiction therefrom by considering the law of right 
and left V-introduction (set ft :— -i<^>), which asserts that if hx (f> or hx ft then 
hx V ft (and is also valid in IL). In fact, for classical logical theories, negation 
completeness is classically equivalent to the disjunction property: 

Theorem 1. For classical logical theories (filters in Boolean algebras or lat- 
tices), negation completeness (maximality or being an ultrafilter) is classically 
equivalent to the disjunction property (the property of being a prime filter). 

Proof. Suppose that T is a classical logical theory with language C (i.e., for all 
4> G £, hx 4> V -i(/>). For the if-direction, suppose that for all </> G £, hx or 
h T -*<(>, and let 4>, ft G C. Let us proceed by case analysis of this disjunction. 
First suppose that hx <p- Hence hx <p or hx ft , and thus hx V ft (vacously) 
implies hx <j> or hx <j>' ■ Now suppose that hx ~<4>. Further suppose that hx 4>Vft- 
Hence hx ft, and thus hx <j) or hx ft ■ For the only-if direction, suppose that for 
all <f), 4> G £, hx 4> V (j)' implies hx 4> or hx 4>\ and let G C. Hence hx <j> v ^ 
implies hx 4> or hx ~^4>- Hence hx 4> or hx ^4> since T is classical. (See also 
[DP02].) □ 

Internalising negation-complete proof theories, LDiiP thus internalises their 
disjunction property, as the theorem schema hLDiiP (M Y a — > ((M M a <p)V 

M M a <j)'), which is why we call our internalised proofs also disjunctive. Yet given 
first, the classicality (and normality) of LDiiP, and second, Theorem 1, which 
applies to the theories that LDiiP internalises, we could as well have stipulated 
the internalised disjunction property as axiom schema and then derived the 
internalised negation completeness therefrom as theorem schema. That is, in 
arbitrary classical normal modal logics, we can make the following deduction, 
where the universal meta-quantification over <f) and (j)' in Line 1 is left implicit: 

1. h D((j) V (j)') — > (D(f) V □</>') assumed internalised disjunction property 

2. h □((/> V -"■</>) -> (D(j> V D^4>) 1, particularisation (set ft := -.</>) 

3. h 4> V classical tautology 

4. h □(</> V -■(/>) 3, necessitation (normality) 

5. h □(/> V D-xf> 2, 4, modus ponens. (internalised negation completeness) 



2 See [CZ91] for a survey of other, so-called super-intuitionistic or intermediate logics 
strictly below classical propositional logic that also enjoy the disjunction property. 
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To see also the computational content in negation-complete consistent theo- 
ries with a recursive axiomatisation as claimed in the beginning, recall from 
classical recursion theory [LdR04] that such theories are actually also recursive 
(algorithmically decidable) as a whole, i.e., not only in their set of axioms: The 
recursiveness of the axioms of a theory implies the recursive enumcrability of 
its theorems. So in order to decide whether or not cf) <G T for a given cf) e C 
in the language C of such a theory T, start the enumeration process. By the 
negation completeness of T, either <f> or ^cf> will pop up. If <f> pops up then stop, 
and conclude that (j) £ T; if -i0 pops up then stop, and conclude that <fi ^ T by 
the consistency of T. 

In summary, the cognitive, constructive, and computational content of re- 
cursively axiomatised negation-complete consistent theories is distilled in their 
maximal consistency, disjunction property, and algorithmic decidability, respec- 
tively However, their scope is far from the one of Hilbert's hope: Godel as- 
certained the negation-incompleteness of any recursively axiomatised consis- 
tent theory containing the Pcano- Arithmetic (PA) part of mathematics [LdR04, 
Fit07b]. Worse, consistent theories containing PA are also algorithmically unde- 
cidable [LdR04]. Notwithstanding, recursively axiomatised negation-complete 
consistent theories, which are thus strictly weaker than PA, are crucial for prac- 
tical applications. (Maximal consistent sets are also crucial for theoretical ap- 
plications such as the canonical-model construction for axiomatic completeness 
proofs, cf. Appendix A. 3. 2). 

1.1.2 Practical application 

Both the external as well as the internalised form of negation completeness 
have important practical applications. Important practical applications of the 
external form "h or h ^</>" of negation completeness, which have become 
classics in computer science and engineering, are logic databases and program- 
ming. There, the external form "h <f> or h ^0" classically corresponds to the 
principle of negation as failure "\/ <j> implies h ->4>" , i.e., ^cf> can be inferred 
if every possible proof of cf> fails [Cla78, Rei78]. Another important practical 

application of a modal-logical variant "1/ K a (</>) implies I K a (</>) " of negation 

as failure is artificial intelligence [Par91], where K a (0) reads as "agent a knows 
that <p (is true)." There, this epistemic variant of negation as failure produces a 
non-monotonic logic of knowledge for multi-agent distributed systems. (This is 
also the only piece of related work that we are aware of.) An important practi- 
cal applications of our internalised form h LDiiP (M Y a <fi)\J M Y a -^cf> of negation 
completeness is accountability for dependable multi-agent distributed systems 
(e.g., electronic voting systems [KR11], and, more generally, the whole Internet 
[Lan09]). A multi- agent distributed system S is accountable by definition if 
and only if S is abuse-free and auditable [KR10]: For all agents b in S, (abuse- 
freeness), whenever b behaves correctly (as an agent in S), b can prove to all 
agents a (including to herself) in S that she does so, and, (auditability), when- 
ever b behaves incorrectly (and thus is faulty) , every or at least one other agent c 
in S will eventually be able to prove to all agents a in S (including to herself and 
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b) that b is faulty, (cf. [KR10] for a formal transcription of this natural-language 
formulation). In such a system S, each agent 6's behaviour in terms of her past 
actions can be recorded in a log file [Chu09] (say M) that is broadcast; and it 
is this log file M that must be constructed so as to have sufficient evidential 
strength to constitute a negation-complete proof with respect to the proof goal 
of b behaving correctly (expressed with an atomic formula correct(fe)): 

(M V a correct^)) V M Y a -. correct(fr) 

In other words, M must constitute decisive evidence or, in yet other words, be 
an epistemic decider to a about the (ephemeral) issue of 6's correctness, (b can 
change her behaviour!) That is, LDiiP is a formal theory of epistemic deciders. 
For abuse- freeness (auditability) , the prover b (c) must (eventually) know such 
an M, written bkM (ckM). We will present formal definitions in Section 2 
and a full formal case study in future work (cf. [KR10] for a preliminary, non- 
axiomatic accountability case study). Finally, note that a piece of decisive 
evidence M for correct(&) brought to the attention of a judge a can be viewed as 
a kind of forensic trace, since M allows a to decide whether or not b is correct 
and thus to decide whether or not b is guilty of behaving incorrectly. 

1.2 Contribution 

Conceptual contributions Our conceptual contributions in this paper are 
the following. First, we produce a novel modal logic of negation-complete or 
disjunctive interactive proofs (cf. Theorem 3), which internalises agent-centric 
negation-complete consistent proof theories (enjoying the disjunction property) 
and has important theoretical and practical applications. Second, we offer the 
insights that the price to pay for negation completeness and disjunctiveness is 
the non-monotonicity and non-communality of the resulting agent-centric no- 
tion of proof (cf. Fact 1 and 5, respectively), which turns out to be also a 
negation-complete disjunctive explicit refinement of standard KD45-belief (cf. 
Corollary 2). Third, we contribute a disjunctive but negation-incomplete ex- 
plicit refinement of standard S5-knowledge (cf. Corollary 3), constructed from 
our notion of proof. 

Technical contributions Our technical contributions are the following. First, 
we provide a standard but also oracle-computational and set-theoretically con- 
structive Kripke-semantics for LDiiP (cf. Section 2.2). Like in [Kral2b], we en- 
dow the proof modality with a standard Kripke-semantics [BvB07], but whose 
accessibility relation m7£ we nrs t define constructively in terms of elementary 
set-theoretic constructions, 3 namely as mR > an d then match to an abstract se- 
mantic interface in standard form (which abstractly stipulates the characteristic 

3 in loose analogy with the set-theoretically constructive rather than the purely axiomatic 
definition of numbers [Fcf89] or ordered pairs (e.g., the now standard definition by Kuratowski, 
and other well-known definitions [Mos06]) 
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properties of the accessibility relation [Fit07a]). We will say that mR u exem- 
plifies (or realises) mR- u - (A simple example of a constructive definition of a 
modal accessibility is the well-known definition of epistemic accessibility as state 
indistinguishability defined in terms of equality of state projections [FHMV95].) 
The Kripke-semantics for LDiiP is oracle-computational in the sense that (cf. 
Definition 3) the individual proof knowledge (say M) can be thought of as being 
provided by an imaginary computation oracle, which thus acts as a hypotheti- 
cal provider and imaginary epistemic source of our interactive proofs. Second, 
we prove Theorem 2, which establishes the proof-terms-as-truth- values view as 
well as a normal form for the special case of a singleton agent universe. Third, 
we prove the finite-model property (cf. Theorem 4) and the algorithmic decid- 
ability of LDiiP (cf. Corollary 4). (Negation completeness implies algorithmic 
decidability as seen in Section 1.1.1, but not vice versa as LDiiP testifies.) 

1.3 Roadmap 

In the next section, we introduce our Logic of Disjunctive instant interactive 
Proofs (LDiiP) axiomatically by means of a compact closure operator that in- 
duces the Hilbert-style proof system that we seek. We then gain the (syntactic) 
insight that negation completeness implies non-monotonicity (cf. Fact 1), and 
prove the above-mentioned Theorem 2 as well as Corollary 2 and 3 within the 
obtained system. Next, we introduce the concretely constructed semantics as 
well as the standard abstract semantic interface for LDiiP (cf. Section 2.2), and 
prove the axiomatic adequacy of the proof system with respect to this inter- 
face (cf. Theorem 3). We justify the existence of the constructive semantics of 
LDiiP by invoking the Axiom of Choice on LiiP's (cf. Table 1) and then also con- 
struct it in terms of a concrete oracle-computable function, from which we gain 
the (semantic) insight that negation completeness implies non-communality (cf. 
Fact 5). Last but not least, we prove the finite-model property (cf. Theorem 4) 
and, therefrom, the algorithmic decidability (cf. Corollary 4) of LDiiP. 

2 LDiiP 

2.1 Syntactically 

Like the Logic of instant interactive Proofs (LiiP), the Logic of Disjunctive 
instant interactive Proofs (LDiiP) provides a modal formula language over a 
generic message term language. The formula language of LDiiP offers the propo- 
sitional constructors, a relational symbol ' k ' for constructing atomic proposi- 
tions about individual knowledge (e.g., akM), and a modal constructor 1 Y a ' 
for propositions about proofs (e.g., M)L a (j>). In brief, LDiiP is a minimal exten- 
sion of classical propositional logic with an interactively generalised additional 
operator (the proof modality) and proof-term language. Note, the language of 
LDiiP is identical to the one of LiiP [Krai 2b] modulo the proof-modality no- 
tation, which in LiiP is ' :f a ', where a acts as proof checker and C as a's peer 
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group. 

Definition 1 (The language of LDiiP). Let 

• A 7^ designate a non-empty finite set of agent names a, 6, c, etc. 

• M designate a language of message terms M such that a e M. 

• V designate a denumerable set of propositional variables P constrained 
such that for all a g A and M g M, (akM) g V (for "a knows M") is a 
distinguished variable, i.e., an atomic proposition, (for individual knowl- 
edge) 

(So a k • where a € A is a unary relational symbol.) 

• £ B <fi ::= P \ -i<fi \ (j> A 4> \ MY a (f> designate our language of logical 
formulas <f>, where M)L a <j) reads "M can disjunctively prove that to a." 

Then LDiiP has the following axiom and deduction-rule schemas, where 
grey-shading indicates the remaining essential differences to LiiP [Kral2b]. 

Definition 2 (The axioms and deduction rules of LDiiP). Let 

• r designate an adequate set of axioms for classical propositional logic 




• T 2 := Lo U ri U { 

- MY a akM (self-knowledge) 

- (M V a (0 4>')) ((M V a cf>) -». M V a 0') (Kripkc's law, K) 

- (M V a ^)^(akM^ 0) (epistemic truthfulness) 

- n(My a l) (proof consistency) 




designate the axiom schemas of LDiiP. 



Then, LDiiP := C1(0) := U„ eN CP(0), where for all r C C: 

ci°(r) := r 2 ur 

Cl n+1 (T) := cr(r) U 

{ $ I {(p,<j>^ (f>'} C Cl"(r) } U (modws ponens, MP) 
{ MY a (j) | g Cl n (r) } U (necessitation, N). 

We call LDiiP a base theory, and Cl(r) an LDiiP-theory for any fC£. 
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Notice the logical order of LDiiP, which like LiiP's is, due to propositions 
about (proofs of) propositions, higher- order propositional. From LiiP [Kral2b], 
we recall the discussions of Kripke's law (K), the law of epistemic truthfulness, 
and the law of necessitation (N): The key to the validity of K is that we under- 
stand interactive proofs as sufficient evidence for intended resource-unbounded 
proof-checking agents (who are though still unable to guess). Clearly for such 
agents, if M is sufficient evidence for and (j> then so is M for </>' . Then, the 

significance of epistemic truthfulness to interactivity is that in truly distributed 
multi-agent systems, not all proofs are known by all agents, i.e., agents are not 
omniscient with respect to messages. Otherwise, why communicate with each 
other? So there being a proof does not imply knowledge of that proof. When an 
agent a does not know the proof and the agent cannot generate the proof ex ni- 
hilo herself by guessing it, only communication from a peer, who thus acts as an 
oracle, can entail the knowledge of the proof with a. Next, the justification for 
N is that in interactive settings, validities, and thus a fortiori tautologies (in the 
strict sense of validities of the propositional fragment), are in some sense trivi- 
alities [Kral2a]. To see why, recall that modal validities are true in all pointed 
models (cf. Definition 5), and thus not worth being communicated from one 
point to another in a given model, e.g., by means of specific interactive proofs. 
(Nothing is logically more embarrassing than talking in tautologies.) There- 
fore, validities deserve arbitrary proofs. What is worth being communicated 
are truths weaker than validities, namely local truths in the standard model- 
theoretic sense (cf. Definition 5), which may not hold universally. Otherwise 
why communicate with each other? We continue to discuss the remaining, new 
axioms and rules. As mentioned, the message language M. of LDiiP is generic, 
and thus a k M will require axioms that are appropriate to the term structure 
of the chosen M <E M. (such as those required for LiiP [Krai 2b]). The axiom 
schema of self-knowledge reads "M can disjunctively prove to a that a knows 
M" , whose validity is justified by oracle computation: "if a were to receive M, 
e.g., from an oracle, then a would know M" (cf. Definition 3). (The law of 
self-knowledge is also valid in LiiP, where it corresponds to the theorem [but 
not axiom] schema M ::® a akM .) The axiom schema of proof consistency and 
negation completeness internalises (external theory) consistency and negation 
completeness, respectively (cf. Section 1.1.1). 

Now note the following macro-definitions: T := a Y a a k a, _L := -iT, 0V</>' := 
^(^0 A -.(/>'), 4> -> 4>' := -xf> V ft, and <j> ft := ((/> -> ft) A (ft -> ft). 

Proposition 1 (Hilbcrt-style proof system). Let 

• * ^LDiiP 4> :iff if $ C LDiiP then 4> e LDiiP 

• <t> +LDiiP <P' :iff {0} r-LDiiP ft and {<p'} h LDi ip 

• +LDiiP 4> :iff +LDiiP <t>- 

In other words, h-LDiiP Q2 C x C is a system of closure conditions in the sense 
of [Tay99, Definition 3.7.4]- F° r example: 
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1. for all axioms <f> E T 2 , l~LDiiP 4> 

2. for modus ponens, {0, <f) — > <P'} ^LDiiP <j>' 

3. for necessitation, {(f)} hLDiiP M- a 4>- 

(In the space-saving, horizontal Hilbert-notation 1-ldup 4 1 ", $ * s n °t a se t of 
hypotheses but a set of premises, cf. modus ponens, necessitation, and epistemic 
bitonicity.) Then hLDiiP can be viewed as being defined by a Cl-induced Hilbert- 
style proof system. In fact CI : 2 £ — > 2 £ is a standard consequence operator, 
i.e., a substitution- invariant compact closure operator. 

Proof. Like in [Kral2a]. That a Hilbert-style proof system can be viewed as 
induced by a compact closure operator is well-known (e.g., see [Gab95]); that 
CI is indeed such an operator can be verified by inspection of the inductive 
definition of CI; and substitution invariance follows from our definitional use of 
axiom schemas. 4 □ 

Corollary 1 (Normality). LDiiP is a normal modal logic. 

Proof. Jointly by Kripke's law, modus ponens, necessitation (these by defini- 
tion), and substitution invariance (cf. Proposition 1). □ 

Note that in LDiiP, an analog of the primitive LiiP-rule 

{8kM«flkM'}h L iiP (M 1 :: c a 4>) ^ M:: c a (f> (sec [Kral2b]) 

would be invalid (because incompatible with negation completeness) and thus is 
not admitted in LDiiP. A fortiori, an analog of the stronger primitive LiP-rule 

{akM ^ akM'} h LiP (M ' :^<j>) -> M : c a <p (see [Kral2a]) 

by which proof monotonicity hup {M f a <j>) — > (M, M') f a (f> under paired data 
M' can be deduced, would be invalid and thus is not admitted in LDiiP either. 
We can thus assert the following negative fact about our negation-complete 
proofs. 

Fact 1. Negation completeness implies non-monotonicity. 
Fact 2. 

1. {4> -> </>'} h LDiiP (M V a 0) -> M V a 0' (regularity) 

2. h LDiiP -n(M y a i_) o ((m y a 4>) -> -i(m y a ^ 

3. h LDiiP (M v a -,<f>) oMVj^l) 

4 Alternatively to axiom schemas, we could have used axioms together with an additional 
substitution-rule set { a[<f>] | <f> 6 Cl n (T) } in the definiens of Cl n+1 (r). 
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Proof. 1 and 2 are well-known for necessity modalities in arbitrary normal modal 
logics. For 3, consider that Kldmp ^ (<f> — > -L) since ^<p {4> -L) 1S a 
classical tautology, and then deduce hLDiiP (M Y a -«f>) -n- M Y a (4> — » _L) by 
1. □ 

We continue to present the first important result about LDiiP (cf. Theo- 
rem 2). 

Lemma 1. 

1. h LDiiP MYJ(M Y a <f>) -> 0) (self-proof of truthfulness) 

2. h LDiiP (m y a (m y a ^)) m y a $ ^ roo / d ensi ^ 

Proof. See Appendix A.l □ 

The laws of self-proof of truthfulness and proof density also hold in LiiP 
[Kral2b]. 

Theorem 2 (Proof terms as Truth values). 

1- l~LDiiP {My. a ^(f)) <H> ~^{M)L a (j)) (maximal consistency) 

2. 1-LDiiP (MY a ((f> Ac/)')) <H- ((MY a </>) AMV^') (proof conjunctions bis) 

3. h LDiiP (m y Q (0 v 0')) ^ ((m vj)vm y a ^ } ^ P b i S ; 
l h LDiiP (m y a 0')) ^ ((m y a 4>) -> m y a ^) f*r bisj 
5. h LDiiP (m y Q (4> o 0')) ((m y a 0) o m y a <//) fBi-/<r; 

6- 1-LDiiP (M y a ( M -a <A)) M -a ^ (^oda/ idempotency) 

7. 1-LDiiP i>kM->- ((MVJMV^)) O MV a 0) fmodaZ idempotency bisj 

Proof. See Appendix A. 2 □ 

"IDP" abbreviates "Internalised Disjunction Property." The laws are enu- 
merated in a (total) order that respects their respective proof prerequisites. 
Notice that Theorem 2.2-2.5 are modal distributivity laws. They assert that the 
proof modality of LDiiP is fully distributive over (binary) Boolean operators. 
While the laws of proof conjunction bis and modal idempotency also hold in 
LiiP [Kral2b], only the if-direction of the laws IDP bis and K bis hold in LiiP. 
Notice also that modal idempotency combines proof density (cf. Lemma 1.2) 
and proof transitivity (cf. Line 1 of the proof of modal idempotency). Like in 
LiiP and LiP, the key to the validity of modal idempotency is that each agent 
(e.g., a) can act herself as proof checker, see [Kral2a, Section 3.2.2] for more 
details. The law of modal idempotency bis is a generalisation of modal idem- 
potency. Observe that when |.4| = 1, Theorem 2 implies that all occurrences 
of the proof modality in a compound LDiiP-formula can be compiled away in 
the sense that all these occurrences can be pushed in front of possibly negated 
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atomic sub- formulas (i.e., literals) of the compound formula. Hence in this case, 
we can understand proof terms as truth-values in the spirit of a form of realiz- 
ability interpretation of constructive logic [Tro98, Section 7.8]. Otherwise, i.e., 
when | .A | > 1 (recall from Definition 1 that A ^ 0), it is possible that not 
all such occurrences in a compound formula can be compiled away (cf. modal 
idempotency bis, i.e., Theorem 2.7). 

The following corollary asserts that our negation-complete or disjunctive 
proof modality is an explicit refinement of the standard belief modality [MV07] . 

Corollary 2 (Negation-complete Disjunctive Explicit Belief). 'MY a -' is a 
negation-complete disjunctive KD45-modality of explicit agent belief where M 
represents the explicit evidence term that can justify agent a 's belief. 

Proof. Consider that l MY a •' satisfies Kripke's law (K, cf. Definition 2), the D- 
law (called "proof consistency" in Definition 2), the 4- law (cf. the only-if part 
of Theorem 2.6), necessitation (cf. Definition 2), and negation completeness (cf. 
Definition 2), and thus the internalised disjunction property (cf. the if-part of 
Theorem 2.3). That 'MY a •' also satisfies the 5-law can be proved as follows: 

1. 1-LDiiP ->{M Y a <j>) -> (M Y a -><)>) only-if-part of Theorem 2.1 

2. h LDi ip (M V a -,«/>) _> M V a (M V a -,«/,) only-if-part of Theorem 2.6[-><j>] 

3. r- L Diip ->(M Y a <j>) -> M Y a (M V a -,«/,) 1, 2, transitivity of -> 

4. h LDi ip (M V a -> n(MV a (/)) if-part of Theorem 2.1 

5- h LDiiP (M V q (M V a ^)) — > M M a -i(M M a 0) 4, regularity 

6- 1-LDiiP "'(M V a cj)) -> M V a -,(M V q 0) 3, 5, transitivity of -h 

□ 

In the following corollary, we construct also a disjunctive but negation- 
mcomplete explicit refinement of the standard knowledge modality [MV07, 
FHMV95, HRIO]. 

Corollary 3 (Disjunctive Explicit Knowledge), 'a kM A M Y a ■ ' is a disjunc- 
tive but negation-incomplete S5-modality of explicit agent knowledge, where M 
represents the explicit evidence term that does justify agent a 's knowledge. 

Proof. By Corollary 2 and the fact that the truth law h L DiiP (akMAMY a c/)) -> 
<p (abbreviated as T but implicit in "S5") for the modality 'akM A MY a •' is 
equivalent to the law of epistemic truthfulness (cf. Definition 2). Note that 
although the modality l akM A M^a-' is evidently disjunctive, i.e., Kldup 
(akMAMY a {<j>V <j>')) -> ((a k M A M Y a (f>) V (a k M A M Y a cj)')), it is negation- 
mcomplete: I/ldhp (a kM AM Y a <j>) V (a kM AM Y a -up), because l/ L DiiP akM, 
because of the arbitrariness of Ti (cf. Definition 2). Fixing Ti so that a resource- 
unbounded agent a unable to guess knows all messages M could only make sense 
for A = {a}. Otherwise, i.e., when all agents know all messages, why interact 
with each other? □ 
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This result is a syntactic complement to previous results from a foundational 
study about the (un) definability of S5-knowledge in terms of belief [HSS09]. 

2.2 Semantically 

We continue to present the concretely constructed semantics as well as the stan- 
dard abstract semantic interface for LDiiP, and prove the axiomatic adequacy 
of the proof system with respect to this interface. We justify the existence of 
the constructive semantics of LDiiP by invoking the Axiom of Choice on LiiP's 
[Krai 2b] and then also construct it in terms of a concrete oracle-computable 
function. 

2.2.1 Concretely 

The ingredients for the concrete semantics of LiiP, from which we will construct 
the concrete semantics of LDiiP, are displayed in Table 1. Therefrom, we will 
only need a concrete instance of S and msgs a , and an abstract instance of cl* as 
ingredients for LDiiP. Observe there that the concrete accessibility mR^ of LiiP 
is a totally defined proper (non-functional) relation. Yet we do need a concrete 
accessibility relation for LDiiP that is functional, because LDiiP's negation- 
completeness axiom corresponds to the functionality property of such a relation. 
(LDiiP's proof consistency axiom corresponds to the totality property of such 
a relation.) Fortunately, the concrete accessibility mR„ 01 LiiP is total, and so 
we know by the Axiom of Choice AC[mRJ;], which we may thus apply to mR^, 
that mR„ can be "functionalised," that is [Mos06], 

for all s£5, there is s' e S such that s mRq s ' implies 

v v ✓ 

1S total 

there is / : S ->• S such that for all s£5,s M R„ f( s ) ■ (AC[ M Rf]) 

s v > 

can b e "functionalised" 

Notice that the Axiom of Choice is non-constructive in that it abstractly asserts 
the conditional existence of a certain / but without actually providing a concrete 
example of such an /. Thus our problem now is to find such an / for AfR-ai 
which will allow us to construct a functional concrete accessibility for LDiiP. In 
Definition 3, we construct such an / as an oracle-computational function a^ 1 on 
concrete states constructed inductively in terms of certain generalised successor 
functions. The essential differences in Definition 3 to Table 1 are grey-shaded. 

Definition 3 (Semantic ingredients). For the set-theoretically constructive, 
model-theoretic study of LDiiP let 

• S 3 s ::= | succ* f (s) , where can be understood as a zero data point 

(representing an initial state for example), and succ^ can be read as 
"agent a receives message M (for example from another agent acting as 
an oracle)" 
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Table 1: Semantic ingredients for LiiP [Kral2b] (partially reused here for LDiiP) 



Let 



5 9 s designate the state space — a set of system, states s 

msgs a : S — > 2 M designate a raw-data extractor that extracts (without 
analysing) the (finite) set of messages from a system state s that agent a £ A 
has either generated (assuming that only a can generate a's signature) or else 
received as such (not only as a strict subterm of another message); that is, 
msgs a (s) is a's data base in s 

cl„ : 2 M — > 2 M designate a data-mining operator such that cll(V) := 
cl a (msgs a (s) UP) := U neN cl"(msgs a (s) U X>), where for all V C M: 

cl°CD) := {a} U V 

cT+\V) := c\:(V)U 

{ (M, M') | {M, M'} C c\2(V) } U (pairing) 

{ M,M \ (M, M') £ c\l{V) } U (unpairing) 

{ {[Af]} a | M £ cl"(D) } U (personal signature synthesis) 

{ (M, b) | {[M]^ G cl"(r>) } (universal signature analysis) 

<a' Q S x S designate a data preorder on states such that for all s,s' G 5, 
s <^f s' :iff clJ({M}) = cl° (0), were M can be viewed as oracle input in 
addition to a's individual-knowledge base cla(0) (cf. also [Kral2a, Section 2.2]) 

<c' := (Uaec <a f ) ++ > where 1++ ' designates the closure operation of so-called 

generalised transitivity in the sense that <£ f o <£* C < ( C M ' M > 

= a := <a designate an equivalence relation of state indistmguishability 

mRo x 5 designate a concretely constructed accessibility relation — short, 
concrete accessibility — for the non-monotonic proof modality of LiiP such that 
for all s, s' G 5, 



s mRo s :iff s G [J [s]= 

s < CU f fl i s and 
M £ clj(0) 

(iff there is s G <S s.t. s <cu{a} s and M G cl„(0) and s = a s'). 
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msgs a : S — > 2 M be such that 

msgs a (0) := 



msgs a (succf (s)) : 



msgs a (s) U {M} if a = b, and 
msgs a ( s ) otherwise 



• cl a : 2 M — > 2^ designate a compact closure operator and define cl* : 
2 M 2-^ such that := cl a (msgs a ( S ) U 2?) := U„ eN <(msgs a ( S ) U 
V) 

• (7 a M :5^5be such that of(s) := 



s if Me cl*(0), and 

succ* f (s) otherwise (oracle i 



input) 



• AfR a Q SxS designate a concretely constructed accessibility relation — 
short, concrete accessibility — for the negation-complete disjunctive proof 
modality such that for all s,s' G S, 



Fact 3. 

1. of (and thus mR-o) i s oracle-computable. 

2. If cl a is polynomial-time computable then so is of (and thus mR<j)- 

Proof. Clearly if cl a is computable then of is computable, and similarly for 
2. □ 

In particular when cl = id 2 ^, that is, when cl a is the identity function 
on 2 M (a performs no data-mining operations), nfR a i s polynomial-time com- 
putable. 

Fact 4. For of, fix cl a as in Table 1. Then: 

1. for all se 5, s M R c a of(s); 

2. M R a C M Rl (and M Rl Q M R c a [Kral2b]). 

Proof. Fix cl a as in Table 1. For 1, consider that s <f of (s) and thus s <cu{a} 

of (s), M £ <" (s) (0), and erf (s) = a of (s) in Table 1. Hence there is s e S 
such that s <fj^ a j § and M e cl*(0) and s = a of (s). (In reverse, of can be 
used as a Skolem-function for the existential quantifier in the previous statement 
and thus in the definiens of mRq in Table 1.) For 2, inspect 1 and definitions. □ 

Hence we have indeed found in of an instance of an / for mR« whose 
existence AC[mRo] postulates and thus indeed constructed a functional total 
sub-relation mR of mR« — from mR^ itself (as a Skolemnisation of its definiens). 
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However notice that we have lost C in jv/R a , because a^f simply disregards C. 
This is the price for the functionality of mR q - Actually, mR-o, (f° r LDiiP) is a 
functional analog of <ff (for LiiP, see Table 1). And it is impossible to construct 
a functional analog of mR-o from a union of mR over C, because such a union of 
functions need not be a function anymore. In contrast, it is possible to construct 
a functional analog of mRo from an intersection of mR<j over ^, since such an 
intersection of functions is again a function. Yet unfortunately it then need not 
be total anymore! We can thus assert the following negative fact about our 
negation-complete proofs. 

Fact 5. Negation-completeness implies non-communality. 

This fact could be useful to establish the theoretical and thus also prac- 
tical impossibility of engineering social procedures [PP06] for which negation 
completeness would be a necessary condition. Due to the same fact, there is 
no community parameter C in ' Y a ' and, in particular, no LDiiP-analog of the 
LiiP-axiom 

h LiiP (M :: c a uc ' cj>) M :: c a <j> (see [Kral2b]). 

Note that if we were to mix LiiP- and LDiiP-modalities in a single logic, the for- 
mula (M 4>) —> M Y a <j) would be a sound axiom in that logic due to Fact 4.2. 

Proposition 2. 

1. there is s' € S such that s MR a s ' (seriality /totality) 

2. if s mR„ s' and s MR a s " then s' = s" (determinism/functionality) 

3. if M <G cl*(0) then s mR„ s (conditional reflexivity) 
4- if s mRq s ' then M G cl„ (0) (epistemic image) 

Proof. By inspection of definitions. (For 4, consider that M e cl^ ucc " (s) (0).) □ 

2.2.2 Abstractly 

We now continue to present the abstract semantic interface for LDiiP, and prove 
the axiomatic adequacy of the proof system with respect to it. 

Definition 4 (Kripke- model) . We define the satisfaction relation ' \=' for LDiiP 
in Table 2, where 

• V : V — > 2 s designates a usual valuation function, yet partially predefined 
such that for all a & A and M e A4, 

V(akM) { s e S \ M e cl*(0) } 

for S assumed abstract (and thus general) like in Tabic 1 and cl* like in 
Definition 3 but with msgs a abstract (and thus general) like in Table 1 
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Table 2: Satisfaction relation 



(e,v),s\=p 


:iff 


s e v(P) 


(6,V), S |=^ 


:iff 


not (6,V),s h 


(6,V),a \=<f>A<f/ 


:iff 


(6,V),s |= and (6,V),s |= 0' 


(6,V), S hMVJ 


:iff 


for all s' e 5, if s M ^„ s' then (6, V), s' |= 4> 



• 6 := (5, {jfKjMeM.aei) designates a (modal) frame for LDiiP with an 
abstractly constrained accessibility relation — short, abstract accessi- 
bility — M^-a — <S x <5 for the negation-complete disjunctive proof modality 
such that — the semantic interface: 

— there is s' e 5 such that s M^ a s ' (seriality/totality) 

— if s mR-ci s ' an d s M^-a s " then s' = s" (determinism/functionality) 

— if M € cl*(0) then s M^ a s (conditional reflexivity) 

— if s MR- a s' then M £ c\ s a (0) (cpistemic image) 

• (6, V) designates a (modal) model for LDiiP. 

Looking back, we recognise that Proposition 2 actually establishes the im- 
portant fact that our concrete accessibility MP a i n Definition 3 realises all the 
properties stipulated by our abstract accessibility MlZ a in Definition 4; we say 
that 

mR„ exemplifies (or realises) mR, u . 

Theorem 3 (Axiomatic adequacy). hLDiiP is adequate for \=, i.e.,: 

1- «/l~LDiiP 4> then \— <ft (axiomatic soundness) 

2. if\=<j) then hLDiiP <P (semantic completeness). 

Proof. Both parts can be proved with standard means: soundness follows as 
usual from the admissibility of the axioms and rules (cf. Appendix A. 3.1); 
and completeness follows by means of the classical construction of canonical 
models, using Lindenbaum's construction of maximally consistent sets (cf. Ap- 
pendix A.3.2). □ 

Theorem 4 (Finite- model property). For any LDiiP -model DJl, if 031, s |= (f> 
then there is a finite LDiiP-model 9Jtfi n such that 9Jlfi n , s \= <f>. 

Proof. By the fact that the minimal filtration [GO07] 

^flt n,r : = («S/~r> {hfR-T^} MeM,aeA, Vr) 

of any LDiiP-model SSJt := (<S, {MR^MeM^eA, V) through a finite r C C 
is a finite LDiiP-model such that for all 7 G T, DJl, s |= 7 if and only if 
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9Jt™' r , [s]^ r |= 7. Following [GO07] for our setting, we define 

= {(s,s')e5x5| for all 7 G T, DJt, s |= 7 iff 3JI, s' |= 7 } 

= { (M~r,[s']~r) I (s,s')e M 1l a } 

= { [sU \sGV(P) }. 

We further fix M G cll sl ~ r (0) :iff [s]~ r G V r (akM), and choose T to be the 
(finite) sub-formula closure of <ft. Hence, we are left to prove that 9Jt^ t in ' r is 
indeed an LDiiP-model, which means that we are left to prove that M^-™ ln ' r 
has all the properties stipulated by the semantic interface of LDiiP: 

• M^™ ln,r inherits seriality /totality as well as determinism/functionality 
from M^ al as can be seen by inspecting the definition of A/7\L" nn ' r ; 

• for conditional reflexivity, suppose that M G cl a ~ r (0). Thus consec- 
utively: [s]~ r G Vr(akM) by definition, s G V(akM) by definition, 
M G cl*(0) by definition, s MlZ a s by the conditional reflexivity of mR-^ 
and finally [s]~ r M^™ ln ' r [s]~ r by definition; 

• for the epistemic- image property, suppose that [s]^ r M^™ m ' r I s '] ~r- Thus 
consecutively: s uR- a s' by definition, M G cl* (0) by the epistemic- 
image property of MlZ a , s' G V(akM) by definition, [s']~ r G Vr(akM) 

by definition, and finally M G cl a ~ r (0) by definition. 

□ 

Corollary 4 (Algorithmic decidability). LDiiP is algorithmically decidable. 

Proof. In order to algorithmically decide whether or not ll <j> G LDiiP" (that is, 
"l~LDiiP (/>"), axiomatic adequacy allows us to check whether or not ~^<p is locally 
satisfiable (that is, whether or not "971, s |= ^</>" for some LDiiP-model 9Jt and 
state s). But then, the finite-model property of LDiiP allows us to enumerate 
all finite LDiiP-models 9Jtfi n up to a size of at most 2 to the power of the size n 
of the sub-formula closure of -i</> and to check whether or not "9JTfi n , s \= -i<£". 
(There are at most 2™ equivalence classes for n formulas.) □ 

So in some sense, we have proved the algorithmic decidability of the epis- 
temic decisiveness of the evidence terms in LDiiP. Note that the algorithmic 
complexity of LDiiP will depend on the specific choice of Fi in Definition 2. 

3 Conclusion 

We have produced LDiiP from LiiP with as main contributions those described 
in Section 1.2. In future work, we shall work out dynamic and first-order ex- 
tensions of LDiiP as well as the preliminary case study [KR10] mentioned in 
Section 1.1.2. 



T) min.r 
Ml<- a 

Vr(P) 
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A Remaing proofs 

A.l Proof of Lemma 1 

1. (a) Kdup (M V a 4>) ( a k M -> 0) 

(b) h LDiiP akM4 ((M Y a 0) 0) 

(c) h LDiiP (M V a (a k M)) -> M V a ((M Y a 0) 

(d) h LDiiP MY a akM 

(e) h LDiiP My a py a ^^) 

2. (a) h LDiiP My a py a ^^) 



epistemic truthfulness 
a, PL 

>) b, regularity 

self-knowledge 
c, d, PL. 



b) Lemma 1.1 

(b) h LDiiP (m y a ((m y a 0) 0)) ^ ((m y a (m y a 0)) ^ M y a 0) k 

(c) h LDiiP (m y a (m y a ^)) M y a 4, a , b, pl. 



A.2 

l. 



-n(MV o ^)) 



Proof of Theorem 2 

(a) h LDiiP n(iy a i) 

(b) h LDiiP .(My a i)Hpy^) 

(c) h LDiiP (MVJ)4n(My o ^) 

(d) h LDiiP (My o ^)4n(MV» 
(c) h LDiiP (MV a 0) V MV a ^ 

(f) h LDiiP .(MV^)^My a ^ 

(g) Kdup (Jfy B ^)«n(JfV^) 

2. (a) h LDiiP -> (</>' -> (<£ A 0')) 

(b) h LDiiP (MV^)^MV a (^ 

(c) h LDiiP (My a (^(^A^)))- 

(d) h LDiiP (MV a 0)^(( M y a 0')_ 
(c) h LDiiP py^)AMV^')4 

(f) ^LDiiP O A 0') -> 

(g) Kdup (m y o (0 a </»')) 4iyj 

(h) h LDiiP {<f>A<f/)-Kf/ 

(i) Kdup (My a (^^))^My a ^' 

(j) Kdup (MY a (<l> A <!>'))-> ((MV a , 

(k) h LDiiP ((m y a 0) a m y a ^) «-> m y a ^ A <t>') 

3. (a) h LDiiP (M V a (0 v 0')) HMV„nHA -,<//) 



(<M0')) 
>((MV a 0') 

^MV a (0 A 0')) 
MV a (0 A( f/) 



proof consistency 
Fact 2 

a, b, PL 

c, PL 

negation completeness 
e, PL 

d, f, PL. 

tautology 
a, regularity 
>MY a (cj>Acj>')) K 

b, c, PL 

d, PL 
tautology 

f, regularity 
tautology 
h, regularity 
g, i, PL 

e, j, PL. 

definition 
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(b) 


l~LDiiP 


(m y a ^ A -0')) -i(m y a a ^/)) 


Theorem 2.1 




(c) 


l~LDiiP 


(M V a (</> V 0')) -H> -i(M M a (-0 A -0')) 


a, b, PL 




(d) 


I^LDiiP 


(m y a a -^')) -*t>) a m y a ^) 


Theorem 2.2 




(e) 


I^LDiiP 


-i(M V a A -.<£')) -a ^) A M V a -,0') d, PL 




(f) 


l~LDiiP 


(m y a (0 v <//)) ^ -((m y a -n0) a m y a ^) 


c, e, PL 




(g) 


1 

i~LDiiP 


-n((M y a -n^) a m y a ^ (->(m y a ^) v -(m y a ^/)) pl 




/I \ 

(h) 


I^LDiiP 


(m y a (0 v </»')) km y a -.0) v.(My a )) 


f, g, PL 




(i) 


1 

i~LDiiP 


(MV a ^)o-(MV a 0) 


Theorem 2.1 




0) 


I^LDiiP 


n(MV o ^)H(MY^) 


i, PL 




(k) 


I^LDiiP 


(MV a ^')on(Myj') 


Theorem 2.1 




(h 
\ l ) 


I^LDiiP 


n(My a ^')«(MV a /) 


k, PL 




(m) 


l~LDiiP 


(Mv a (0 V 0'))^((My Q 0)vMy Q 0') 


h,j, 1, PL. 


4. 


(a) 


I^LDiiP 


((m y a 0) m y a km y a 0) v m y a 0') 


definition 




(b) 


I^LDiiP 


(MV a ^)H.(MV^) 


Theorem 2.1 




(c) 


I^LDiiP 


((m y a 0) M y a o ((m y a ^) v m y a 0') 


a, b, PL 




(d) 


I^LDiiP 


(m y a v #)) ^ ((m y a ^) v m y a 0') 


Theorem 2.3 




(e) 


l~LDiiP 


((m y a 0) m y a o m y a v <//) 


c, d, PL 




(f) 


I^LDiiP 




e, definition. 


5. 


by Theorem 2.2 and 2.4. 




6. 


(a) 


I^LDiiP 


(MV a (Myj))^MV^ 


Lemma 1.2 




(b) 


I^LDiiP 


(My a (My o ^))4My s ^ 


Lemma 1.2 




(c) 


I^LDiiP 


n(My 8 ^)4n(MV (MV„^)) 


b, PL 




(d) 


l~LDiiP 


(My a ^)H.(MV^) 


Theorem 2.1 




(e) 


I^LDiiP 


.(MV o ^)h(MV^) 


d, PL 




(f) 


I^LDiiP 


(MV a 0)^^(MV a (MV a ^)) 


c, e, PL 




(g) 


I^LDiiP 


(m y a (m y a ^))HMy a , (M y a 0) 


d, regularity 




(h) 


I^LDiiP 


-n(MV a (My B n^))«n(My fl n(My a ^)) 


g, PL 




(i) 


l~LDiiP 


(My^)^.(MV a .(MV^)) 


f, h, PL 




(j) 


I^LDiiP 


(m y a n(My^))o^(M y a (M y a 0)) 


Theorem 2.1 




(k) 


I^LDiiP 


,(My„,(My^))HMV a (MV a 0) 


j, PL 




(1) 


I^LDiiP 


(M V a 0) -> M V a (M V a 0) i, k, PL; (proof transitivity) 




(m) 


I^LDiiP 


(My a (My^))HMy^ 


a, 1, PL. 


7. 


(a) 


l~LDiiP 


6 k M -> ((M y 6 (M y o ^))4My o 0) epistemic truthfulness, 






PL 
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(b) 
(c) 
(d) 
(e) 
(f) 
(g) 
(h) 

(i) 
(j) 
(k) 

(1) 

(m) 



I^LDiiP 
I^LDiiP 
I^LDiiP 
l~LDiiP 
I^LDiiP 
I^LDiiP 
I^LDiiP 
I^LDiiP 
l~LDiiP 
I^LDiiP 
I^LDiiP 
l~LDiiP 



bkM -» ((MV t (MV a ^)) -+ MV a ^) 
6kM^HMV„ -4- -i(M M b (M v a -^))) 
(MV a ^)o-(MV a 0) 
.(MV a ^)«(MV^) 

6 k m -> ((m y a 4>) -> ^(m y b (m y a ^))) 
(My t (My a ^)^My r (MY a ^) 
-n(M y 6 (m y Q -n^)) H.(iy r (M y a 0)) 

6kM-> ((MV» -> -(MV r (MVJ))) 

(m y 6 -(m y Q 0)) H.(My t (m y a 0)) 

6kM^((MV Q 0)^My b (My a 0)) 

&kM^py 6 (My^))«My^) 



Theorem 2.1 



b, PL 
Theorem 2.1 



d, regularity 



j, PL 
i, k, PL 
a, 1, PL. 



d, PL 

c, e, PL 



g, PL 
f, h, PL 



dito a 



A.3 Proof of Theorem 3 
A. 3.1 Axiomatic soundness 
Definition 5 (Truth & Validity [BvB07]). 

• The formula </> £ C is true (or satisfied) in the model (6,V) at the state 
s eS :iff (6,V),s h 0- 

• The formula is satisfiable in the model (6,V) :iff there is s <G 5 such 
that (6,V),s h <£■ 

• The formula <j> is globally true (or globally satisfied) in the model (6,V), 
written (6, V) |= 4>, :iff for all s e 5, (6, V), s |= 0. 

• The formula <f> is satisfiable :iff there is a model (6, V) and a state seS 
such that (&,V),s \= </>. 

• The formula <f> is waZirf, written |= <p, :iff for all models (6, V), (6, V) |= <f>. 
Proposition 3 (Admissibility of LDiiP-specific axioms and rules). 

1. \=MY a akM 

2. h (m y a (^ 0')) ((m y a 0) _> M y a 0') 

5. |= (AfV o ^) -> (akM -> 0) 

4- |=-(MV o _L) 

5. |=(My o ^)vMy o ^ 

6. 7/ |= 4> then \= M Y a 

Proof. 1 follows directly from the epistemic- image property of M^ a ; 2 and 6 
hold by the fact that LiiP has a standard Kripke-semantics; 3 follows directly 
from the conditional reflexivity of ^{IZ a , and 4 and 5 from the seriality /totality 
and the determinism/functionality of MR- a , respectively. □ 
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A. 3. 2 Semantic completeness 

For all 4> e £, if |= cfi then Kldup <f>- 
Proof. Let 

• W designate the set of all maximally LDiiP-consistent sets 5 

• for all w, w' G W, w MC a w' :iff { <f> G £ \ M Y a (f> G 10 } C w' 

• for all w G W, to G V C (P) :iff Pew. 

Then 9Jtc := (W, {MC a }MsM,oe^li Vc) designates the canonical model for 
LDiiP. Following Fitting [Fit07a, Section 2.2], the following useful property of 

for all </> G £ and w G W, € w if and only if dJlc, w \= <j>, 
the so-called Truth Lemma, can be proved by induction on the structure of (f>: 

1. Base case (4> := P for P G V). For all w G W, P € to if and only if 
9Hc, u> |= P, by definition of Vc- 

2. Inductive step := -><j/ for 0' G £). Suppose that for all w G W, 4>' £ w 
if and only if 9Jlc,w |= 0'- Further let u> G W. Then, -xj>' G w if and 
only if <j>' £ w — w is consistent — if and only if 9Jlc ,w Y= <j>' — by the 
induction hypothesis — if and only if 37lc, w \= -xf>' . 

3. Inductive step (<j> '■— 4>' A <j>" for <f)' , <f)" G £). Suppose that for all w G W, 
(j)' G w if and only if 97tc,w |= 0', and that for all w G W, 0" G w if 
and only if 97t c ,w; h <t>" ■ Further let w G W. Then, 0' A 0" G to if 
and only if ((/>' G u> and <f>" G w), because w is maximal. Now suppose 
that <f>' € w and 0" G w. Hence, 031q,w |= and 9Jtc,w |= 0", by the 
induction hypotheses, and thus 97lc, w |= <t>' A<f>" . Conversely, suppose that 
9Jt c , w \= 4>' A (j)". Then, 9Jt c , w\=<j>' and 9Jt c , H= 0". Hence, few and 
</>" G w, by the induction hypotheses. Thus, (</>' G w and 0" G w) if and 
only if (Mc,w \= 4>' and 97l c , w |= 0")- Whence <f>' A 4>" G w if and only if 
(37lc,w \= <t>' and 9Jtc,?« |= <f>"), by transitivity. 

4. Inductive step (<j> := M Y a 0' for M e M, a € .4, and G £). 

5 * A set W of LDiiP-formulas is maximally LDiiP-consistent :iff W is LDiiP-consistent 
and W has no proper superset that is LDiiP-consistent. A set W of LDiiP-formulas is LDiiP- 
consistent :iff W is not LDiiP-inconsistent. A set W of LDiiP-formulas is LDiiP-inconsistent 
:iff there is a finite W C W such that ((A W) ->• _L) 6 LDiiP. Any LDiiP-consistent set 
can be extended to a maximally LDiiP-consistent set by means of the Lindenbaum Con- 
struction [Fit07a, Page 90]. A set is maximally LDiiP-consistent if and only if the set of 
logical-equivalence classes of the set is an ultrafilter of the Lindenbaum- Tarski algebra of 
LDiiP [Ven07, Page 351]. The canonical frame is isomorphic to the ultrafilter frame of that 
Lindenbaum- Tarski algebra [Ven07, Page 352]. 
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4.1 for all to € W, </>' G to if and only if !Dtc, to |= 0' ind. hyp. 

4.2 to G W hyp. 

4.3 MY a faew hyp. 

4.4 to' G W hyp. 

4.5 to jv?C a to' hyp. 

4.6 { 0" G £ | MV s f g u, } C to' 4.5 

4.7 0' e { ^" G £ | My a 0" g u, } 4.3,4.6 

4.8 0' G w' 4.6, 4.7 

4.9 OTcXM' 4.1,4.4,4.8 

4.10 if to mC u/ then 9Jt c , «/ h 0' 4.5-4.9 

4.11 for all w' G W, if w MC a w' then DJt c , w' \= fa 4.4-4.10 

4.12 fm c ,w\=M)l a (f>' 4.11 

4.13 MV a 4>'gw hyp. 

4.14 T = { fa' e £ \ MY a fa' e w }U {^fa} hyp. 

4.15 J- is LDiiP-inconsistent hyp. 

4.16 there is {MY a fa, . . . , MY a fa} C to such that 

^LDiiP (^l A ... A fa A -¥ -L 4.14, 4.15 

4.17 {Afy a l7 ... j My Q 0„}c W and 

1-LDiiP (fa A ... A fa A -.<£') -> _L hyp. 

4.18 h LDiiP (0i A ... A </>„) — > 0' 4.17 

4.19 h LDiiP (My a (0 lA ...A0„))^MV a( / ) '4.18, regularity 

4.20 h LmiP ((MY a fa)A...A(MY a fa))^ MY a fa 4.19 

4.21 MY a faew 4.17, 4.20, to is maximal 

4.22 false 4.13, 4.21 

4.23 false 4.16, 4.17-4.22 

4.24 T is LDiiP-consistent 4.15-4.23 

4.25 there is w' D T s.t. to' is maximally LDiiP-consistent 4.24 

4.26 T C w' and to' is maximally LDiiP-consistent hyp. 

4.27 { fa' e £ \ MY a fa' e w } C T 4.14 

4.28 { fa' G £ | MV q 0" G to } C to' 4.26, 4.27 

4.29 to mC q to' 4.28 

4.30 w' G W 4.26 

4.31 -.0' G J 7 4.14 

4.32 -.(/>' G to' 4.26, 4.31 

4.33 fa & w' 4.26 (to' is LDiiP-consistent), 4.32 

4.34 Mcw'^fa 4.1,4.33 

4.35 there is w' G W s.t. to jwC a to' and 9Jt c , «/ ^ 0' 4.29, 4.34 
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4.37 



4.36 



4.38 



m Cl w ft MY a <j/ 
M c ,w ft MY a 4>' 
Mc,w ft MY a (f>' 



4.25, 4.26-4.36 
4.14-4.37 



4.35 



4.39 MY a 0' g w if and only if DJlc,w ft MY a <f>' 4.3-4.12,4.13-4.38 

4.40 for all w e W, MY a $ g «, if and only if 9tt c , to |= M Y a ^'4.2-4.39 

With the Truth Lemma we can now prove that for all G jC, if I/lduP 4> then 
ft 4>. Let 4> g £, and suppose that 1/LDiiP </>■ Thus, {^0} is LDiiP-consistent, 
and can be extended to a maximally LDiiP-consistent set w, i.e., —t<f> g u> g W. 
Hence 9Jtc,w |= _, ^>, by the Truth Lemma. Thus: 93tc,u> ^ 9#c ft 4>, and 
^= That is, DJlc is a universal (for a/Z (J £ £) counter-model (if is a 
non-theorem then 2Hc falsifies 0). 

We are left to prove that 9Jtc is also an LDiiP-model. So let us instantiate 
our data mining operator cl a (cf. Page 13) on W by letting for all w g W 



and let us prove that: 

1. there is w' g W such that w mC io' 

2. if w a^C and w mC u w" then «/ = w" 

3. if M g cl™(0) then io iiC a w 

4. if io JM C w' then M g cl™'(0). 

For (1), let w g W and </> G £, and suppose that MY a <fi G w. For the 
sake of deriving the contrary, further suppose that <j> £ w. Hence ^<j) G w 
because w is maximal, and thus ^IGjb. Hence (M Y a 0) — » M Y a _L g w by 
regularity. Hence M Y a _L g u> by the first supposition and modus ponens. Hence 
-i(M Y a _L) G" w because to is consistent. Yet since w is maximal, -i(M Y a _L) g w 
(proof consistency). Contradiction. Hence w is actually a w' such that (j> g w'. 

For (2), let us first prove the following, so-called Reflection Lemma: 



So suppose that 

• M)L a 4> £ w. Hence ^(MY a 0) g w because w is maximal. Since iv is 
maximal, ^(MY a </>) — > M)L a ^<f> g to (negation completeness). Hence 
M Y a ^(f> g to by modus ponens. 

• MY a ^(f> g to. Since to is maximal, (MY a -«j>) -> ->(MY a ->-xj>) g w 
(proof consistency). Hence ^(MY a ^^</>) g to by modus ponens. Since 
w is maximal, -4- g w. Hence (M M 0) — >• M Y a g w by 
regularity. Hence -i(MV o -i-i^) — > -i(MY. o 0) g w by contraposition. 
Hence ^(M Y a 0) g w by modus ponens. Hence MY a (f> £ to because to is 
consistent. 



msgs a (w) := { M | akM g w }, 



M M a ^ w if and only if M^^g to. 
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Now for (2), let w,w',w" <G W and suppose that w mC u w' and w MC a w" . 
That is, (for all </> e C, if M Y a 4> e w then <j> e u/) and (for all <f> e £, if 
MY a (j) e w then e w"). Now let € £ and suppose that 

• <f> G w'. Hence ^0 ^ w' because w is consistent. Hence M)L a ^4> £ w 
by particularisation of the first supposition with ^<p an d modus tollens. 
Hence MY a <fi £ w by the Reflection Lemma. Hence <j> € io" by the second 
supposition and modus ponens. 

• <p € tu". Hence € «/ — symmetrically. 

For (3), let w e W and suppose that M e cl„ (0). Hence okM e to due to 
the maximality of w. Further suppose that MY a <fi e w. Since w is maximal, 

(MY a (j>) — > (a k M — > e io (epistemic truthfulness). 

Hence, akM^^ett), and </> e w, by consecutive modus ponens. 

For (4), let w, w' £ W and suppose that u> jvtfC a to'- That is, for all <f> £ C, if 
A'/ Y a </> e u> then <f> e w' . Since w is maximal, 

MY a akMeu; (self-knowledge) . 

Hence akMeiu'by particularisation of the supposition, and thus M e cl™ (0) 
by the definition of cl™ . 

□ 
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